BGP: Credential Management | NSRC Training Resources

View Transcript

So credential management. You might wonder why is that important but it's quite critical to help secure the routing infrastructure. so credentials assert identity who are you and what are you allowed to do and there are many many compromises that at the root of it have to do with very poor credential management practices. Have you heard of Mirai? I would be surprised if you hadn't. Remember that the root of Mirai was compromising vulnerabilities that dealt with telnet, in effect sending credentials in clear-text and even worse having default passwords. So really we need to start looking at how do we help when we're in control of the routing infrastructure to make sure that we're not part of the problem. So how are credentials compromised? There's a variety of ways very often people use the same passwords on many systems. That's really bad practice and it can also lead to sometimes being a victim of a phishing attack because if you're using the same password to log into your routing infrastructure in other areas it gives more of a possibility that a phishing attack can actually work when somebody sends you an email that looks like something you need to click on and enter your credentials. Also if your laptop gets stolen, if you're not encrypting your laptop or if you don't have a spreadsheet with your passwords encrypted then somebody who has access to the stolen laptop could potentially have access to all the passwords in your infrastructure. People also unfortunately send credentials and clear text emails so just to say hey I need for you to log into the router or configure this router and here are the passwords to it it happens. It shouldn't happen and we just have to pay attention to what we're doing. So we need to think about the entire credential management lifecycle and maybe it looks daunting but really it isn't. You just have to think about when you're creating changing or renewing credentials how do you distribute them. Make sure you do it in a secure manner. Also how do you store them and we have to think about mobile devices in these days. So if you're doing something using your iPhone or using some other phone and you have backups in the cloud are you sending information into the cloud i.e. somebody else's computer right and can that be compromised? So just be cognizant of where the data is going. Also how do you actually revoke credentials and how do you destroy them? So just think about the entire lifecycle so that you know that nobody unauthorized gets access to a password and potentially misuse it. It is very important to think about all of the different credentials or passwords that are associated with the routing infrastructure. It's not only you as an operator that would have maybe physical access and have a password to get console access or even telnet or SSH access, you also need to think about all the different credentials that are associated with protocols or management devices, for example SNMP, IPSec, syslog, even secure NTP these days has credentials then we had a module on secure route authentication also called sometimes md5 authentication and there are passwords associated with this. So all of these credentials are something you have to think about. How do you create them? How do you change them? And then how do you store them, distribute them and delete them?

Exercises

Acceptable Use

Attribution-NonCommercial 4.0 International (CC BY-NC 4.0)

This is a human-readable summary of (and not a substitute for) the license. Disclaimer.
You are free to:

Share — copy and redistribute the material in any medium or format
Adapt — remix, transform, and build upon the material
The licensor cannot revoke these freedoms as long as you follow the license terms.
Under the following terms:

Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.
NonCommercial — You may not use the material for commercial purposes.
No additional restrictions — You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.